On 17.05.2011 18:19, Herman wrote:

I made a change to IPTables, and did a "service iptables restart", and next thing I knew, I had a split brain.

I would guess that the RHEL FW setup flushes the connection tracking tables and has a default drop (or reject) rule.

This would cause DRBD's TCP connections to time out eventually. Also, neither OCFS nor DLM react kindly when their communication link goes down.

Try to keep the FW setup from unloading the "nf_conntrack" module or otherwise fiddle with connection tracking. This should prevent any harm in the FW restart case.

In addition, if you expect any prolonged FW downtime to happen (for example: FW stop, explain situation to your boss, FW start), you may also like the usual "stateful accept" rule

 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to be present during the FW downtime.


_______________________________________________
drbd-user mailing list
[email protected]
http://lists.linbit.com/mailman/listinfo/drbd-user
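The two things the reply above asks an operator to verify (that the stateful accept rule sits in INPUT ahead of any DROP/REJECT, and that the RHEL init script is not configured to unload netfilter modules on stop) can be checked offline against an iptables-save dump and the sysconfig file. The script below is an added example, not code from the thread or from the DRBD project; the rule dumps are constructed samples, and the treatment of an unset IPTABLES_MODULES_UNLOAD as "yes" reflects the value shipped in RHEL's /etc/sysconfig/iptables-config and is noted as an assumption in the code.

```python
"""Offline checks for an iptables ruleset that must keep long-lived cluster
TCP sessions (DRBD, OCFS2, DLM) alive across a firewall reload.

check_stateful_accept(): the RELATED,ESTABLISHED accept must come before the
first DROP/REJECT in the INPUT chain, otherwise an in-flight session is cut.
modules_unload_enabled(): RHEL's init script unloads nf_conntrack on stop when
IPTABLES_MODULES_UNLOAD is "yes", which discards the state the rule relies on.
"""
import re

# Constructed iptables-save output (not captured from a real host).
SAMPLE_GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same rules, but the stateful accept was appended after the REJECT.
SAMPLE_BAD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Both the legacy "-m state" and the newer "-m conntrack" spellings count.
STATEFUL_RE = re.compile(r"-m (?:state --state|conntrack --ctstate) (\S+) -j ACCEPT")
TERMINAL_RE = re.compile(r"-j (?:DROP|REJECT)\b")


def chain_rules(dump, table="filter", chain="INPUT"):
    """Return (policy, ordered list of '-A <chain>' rules) for one table/chain."""
    rules, policy, in_table = [], None, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_table = line[1:] == table
        elif line == "COMMIT":
            in_table = False
        elif in_table and line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif in_table and line.startswith("-A %s " % chain):
            rules.append(line)
    return policy, rules


def check_stateful_accept(dump):
    """Return (ok, reason). ok is True only when an ESTABLISHED accept rule
    exists in INPUT and no DROP/REJECT rule precedes it."""
    policy, rules = chain_rules(dump)
    stateful_idx = None
    for i, rule in enumerate(rules):
        m = STATEFUL_RE.search(rule)
        if m and "ESTABLISHED" in m.group(1).split(","):
            stateful_idx = i
            break
    first_terminal = next((i for i, r in enumerate(rules) if TERMINAL_RE.search(r)), None)
    if stateful_idx is None:
        return False, "no ESTABLISHED accept rule in INPUT (policy %s)" % policy
    if first_terminal is not None and first_terminal < stateful_idx:
        return False, "rule %d is DROP/REJECT but stateful accept is rule %d" % (
            first_terminal + 1, stateful_idx + 1)
    return True, "stateful accept is rule %d of INPUT" % (stateful_idx + 1)


def modules_unload_enabled(config_text):
    """True if /etc/sysconfig/iptables-config tells the init script to unload
    netfilter modules (nf_conntrack included) on stop/restart."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("IPTABLES_MODULES_UNLOAD="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value == "yes"
    return True  # assumption: the shipped default is "yes" when the key is absent


if __name__ == "__main__":
    for name, dump in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_stateful_accept(dump))
    print("unload:", modules_unload_enabled('IPTABLES_MODULES_UNLOAD="no"\n'))
```

Run it against `iptables-save` output and the sysconfig file from the cluster nodes; a "bad" result on either check means a restart will still cut DRBD's replication link even though the accept rule is nominally present.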
